From nobody Sun Oct 5 20:51:48 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Date: Sun, 5 Oct 2025 20:51:48 GMT
Message-Id: <202510052051.595KpmAG039970@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: ff566e6b9b8f - stable/15 - pf: fix 'natpass'
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: ff566e6b9b8fad0dc51184fa80e3b1269781f580
Auto-Submitted: auto-generated

The branch stable/15 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=ff566e6b9b8fad0dc51184fa80e3b1269781f580

commit ff566e6b9b8fad0dc51184fa80e3b1269781f580
Author:     Kristof Provost
AuthorDate: 2025-09-30 17:40:08 +0000
Commit:     Kristof Provost
CommitDate: 2025-10-05 20:47:34 +0000

    pf: fix 'natpass'

    If an rdr (or nat) rule specifies 'pass', we don't run the filter rules,
    we just pass the traffic. Or at least, we did until that got
    unintentionally broken.

    Restore that behaviour and add a test case.

    MFC after:	3 days
    Sponsored by:	Rubicon Communications, LLC ("Netgate")
    Differential Revision:	https://reviews.freebsd.org/D52838

    (cherry picked from commit b93394a38bc41f8afceaf0c03ed5d8b8b5a9aefb)
---
 sys/netpfil/pf/pf.c         | 59 ++++++++++++++++++++++++---------------------
 tests/sys/netpfil/pf/rdr.sh | 58 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+), 27 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 9637c25f7a76..8d3d72148815 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5939,37 +5939,42 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, ctx.nat_pool = &(ctx.nr->rdr); } - ruleset = &pf_main_ruleset; - rv = pf_match_rule(&ctx, ruleset, match_rules); - if (rv == PF_TEST_FAIL) { - /* - * Reason has been set in pf_match_rule() already. - */ - goto cleanup; - } - - r = *ctx.rm; /* matching rule */ - ctx.a = *ctx.am; /* rule that defines an anchor containing 'r' */ - ruleset = *ctx.rsm; /* ruleset of the anchor defined by the rule 'a' */ - ctx.aruleset = ctx.arsm; /* ruleset of the 'a' rule itself */ + if (ctx.nr && ctx.nr->natpass) { + r = ctx.nr; + ruleset = *ctx.rsm; + } else { + ruleset = &pf_main_ruleset; + rv = pf_match_rule(&ctx, ruleset, match_rules); + if (rv == PF_TEST_FAIL) { + /* + * Reason has been set in pf_match_rule() already. + */ + goto cleanup; + } - REASON_SET(&ctx.reason, PFRES_MATCH); + r = *ctx.rm; /* matching rule */ + ctx.a = *ctx.am; /* rule that defines an anchor containing 'r' */ + ruleset = *ctx.rsm; /* ruleset of the anchor defined by the rule 'a' */ + ctx.aruleset = ctx.arsm; /* ruleset of the 'a' rule itself */ - /* apply actions for last matching pass/block rule */ - pf_rule_to_actions(r, &pd->act); - transerror = pf_rule_apply_nat(&ctx, r); - switch (transerror) { - case PFRES_MATCH: - /* Translation action found in rule and applied successfully */ - case PFRES_MAX: - /* No translation action found in rule */ - break; - default: - /* Translation action found in rule but failed to apply */ - REASON_SET(&ctx.reason, transerror); - goto cleanup; + /* apply actions for last matching pass/block rule */ + pf_rule_to_actions(r, &pd->act); + transerror = pf_rule_apply_nat(&ctx, r); + switch (transerror) { + case PFRES_MATCH: + /* Translation action found in rule and applied successfully */ + case PFRES_MAX: + /* No translation action found in rule */ + break; + default: + /* Translation action found in rule but failed to apply */ + REASON_SET(&ctx.reason, transerror); + goto cleanup; + } } + 
REASON_SET(&ctx.reason, PFRES_MATCH); + if (r->log) { if (ctx.rewrite) m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); diff --git a/tests/sys/netpfil/pf/rdr.sh b/tests/sys/netpfil/pf/rdr.sh index f7c920bbfa8f..24b95b2047f4 100644 --- a/tests/sys/netpfil/pf/rdr.sh +++ b/tests/sys/netpfil/pf/rdr.sh @@ -281,8 +281,66 @@ srcport_pass_cleanup() pft_cleanup } +atf_test_case "natpass" "cleanup" +natpass_head() +{ + atf_set descr 'Test rdr pass' + atf_set require.user root +} + +natpass_body() +{ + pft_init + + epair=$(vnet_mkepair) + epair_link=$(vnet_mkepair) + + ifconfig ${epair}a 192.0.2.2/24 up + + vnet_mkjail alcatraz ${epair}b ${epair_link}a + jexec alcatraz ifconfig lo0 inet 127.0.0.1/8 up + jexec alcatraz ifconfig ${epair}b inet 192.0.2.1/24 up + jexec alcatraz ifconfig ${epair_link}a 198.51.100.1/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + + vnet_mkjail srv ${epair_link}b + jexec srv ifconfig ${epair_link}b inet 198.51.100.2/24 up + jexec srv route add default 198.51.100.1 + + # Sanity check + atf_check -s exit:0 -o ignore \ + ping -c 1 192.0.2.1 + atf_check -s exit:0 -o ignore \ + jexec alcatraz ping -c 1 198.51.100.2 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "rdr pass on ${epair}b proto udp from any to 192.0.2.1 port 80 -> 198.51.100.2" \ + "nat on ${epair}b inet from 198.51.100.0/24 to any -> 192.0.2.1" \ + "block in proto udp from any to any port 80" \ + "pass in proto icmp" + + echo "foo" | jexec srv nc -u -l 80 & + sleep 1 # Give the above a moment to start + + out=$(echo 1 | nc -u -w 1 192.0.2.1 80) + echo "out ${out}" + if [ "${out}" != "foo" ]; + then + jexec alcatraz pfctl -sn -vv + jexec alcatraz pfctl -ss -vv + atf_fail "rdr failed" + fi +} + +natpass_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { + atf_add_test_case "natpass" atf_add_test_case "tcp_v6_compat" atf_add_test_case "tcp_v6_pass" atf_add_test_case "srcport_compat"
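Review bot: in the pf.c hunk, the new natpass branch (`if (ctx.nr && ctx.nr->natpass)`) assigns only `r` and `ruleset`, while `ctx.a` and `ctx.aruleset` are assigned solely in the else branch, so any later code that reads those fields (logging, state creation) sees whatever they held before this point in the natpass case; either confirm they are initialised to a sane default earlier in pf_test_rule() or assign them explicitly here. The branch also reads `*ctx.rsm` before pf_match_rule() has run, so it depends on the caller's ruleset pointer already being valid for the nat rule; a one-line comment stating where that is set would save the next reader a trip through the translation code. The natpass path likewise skips `pf_rule_to_actions(r, &pd->act)`, so options carried on the rdr/nat rule itself are not applied; if that is intentional, say so in a comment so it is not "fixed" later. Hoisting `REASON_SET(&ctx.reason, PFRES_MATCH)` below the if/else so both paths set it looks right.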
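Review bot: the rdr.sh hunk only has a positive case for natpass. With the `block in proto udp from any to any port 80` rule already in the ruleset, add a second pft_set_rules with plain `rdr` (no `pass`) and assert that `nc -u -w 1 192.0.2.1 80` gets no reply; as written, a regression that ignores block rules altogether would still make this test pass. The commit message says the behaviour covers nat rules too, but the `nat on ${epair}b inet from 198.51.100.0/24 to any -> 192.0.2.1` rule here carries no `pass`, so the nat side is not exercised. Minor: the backgrounded `jexec srv nc -u -l 80` is never killed explicitly and relies on jail teardown in pft_cleanup, and `sleep 1` is a fixed wait rather than a readiness check, in line with the rest of the file but a known flakiness source under load.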